The quality and security levels of open source code are continuing to improve, according to the latest annual audit by code analysis tools vendor Coverity.
The third edition of the Coverity Scan Open Source report measured a 16 per cent reduction in static analysis defect density over the past three years among the projects …

Some Limitations

"The mix of defect types identified in the process remains consistent. NULL Pointers, resource leaks and unintentional ignored expressions have consistently remained the main problem areas for coders."

Er, I think you'll find that what "remains consistent" is the kind of problem that static analysis can find, not the problems going into the code. There's a whole class of "insecure by design" flaws (such as trusting external input) that simply aren't explicit at the source code level and so will escape detection by these tools.

You'll also find that the vast majority of resource leaks could be plugged by systematic use of resource handling classes and that the compiler would have warned about that ignored expression if you hadn't trodden on the warning. Therefore, there are better ways of avoiding these problems than marking up all your code for static analysis. (You only get the full benefit if you mark up the OS headers, too, which isn't going to happen for the vast majority of people. To their credit, Microsoft have PreFASTed the Windows headers, so if you are only targeting that platform and willing to use their tool, the approach is just about feasible.)

On the other hand, these are real flaws in real code and it is good that someone continues to bang on about the large numbers of such, even if the solution they are selling is probably the wrong one.

"Open source code quality improving"

Good. Now all that's needed is to format and document the code (most of it anyway) so that it doesn't look like a five year old produced it. For obvious reasons open source programmers would rather code than document. As they don't get paid for either they do what they like best.

For example, you haven't lived until you have hacked into some Linux video drivers or MM software. It's like wading through a huge intellectual garbage dump.

Note to Linuxers: Don't bother flaming me. Use the energy to put some comments in your code.

Are Register readers really stupid?

Measuring fewer over time. Well, only if the code base isn't increasing over time. This report shows that the code going in and the code already there are both suffering fewer static coding issues.

Of course static analysis only finds static faults - that's why it's called static analysis. It doesn't mean it's not a worthwhile thing to do. As for resource handling classes - well, yes, they can help a lot with resource leaks. IF you are using a language that supports them. The Linux kernel (and lots of the other apps presumably covered in the report) is written in C, so there is no obvious (read efficient) way of doing this.

Shite to tripe. Hmmm. I have seen closed source code that you probably use in your mobile phone that is way worse than most OSS stuff I have seen. There is certainly some bad OSS code, but there is also a lot of very good code. There is also a lot of bad closed code (probably more than OSS, as there is more of it, full stop).
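As an added example (not from the article, from Coverity, or from any commenter), here is the shape of defect the "Some Limitations" comment and the reply above are arguing over, written in C because the kernel and most of the scanned projects are C. It shows a resource leak on an error path, a result that is assigned but never examined (which is how the compiler's warning gets silenced), and the goto-cleanup idiom that plugs both without resource-handling classes. The instrumented allocator, its fault injection, and the word-counting task are constructed for the example; `__attribute__((warn_unused_result))` is the real gcc/clang attribute.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocator (constructed for this example): counts live buffers
 * and can be told to fail the k-th acquisition, so a leak and an error path
 * are observable at run time rather than only in a scanner's report. */
static int g_live = 0;
static int g_fail_on = 0;   /* 0 = never fail; k = fail the k-th acquire from now */

int live_buffers(void) { return g_live; }
void fail_nth_acquire(int k) { g_fail_on = k; }

static char *buf_acquire(size_t cap) {
    if (g_fail_on > 0 && --g_fail_on == 0) return NULL;
    char *p = calloc(cap, 1);          /* zeroed, so a skipped copy leaves "" */
    if (p) g_live++;
    return p;
}

static void buf_release(char *p) {
    if (p) { free(p); g_live--; }
}

/* Bounded copy that refuses to truncate. The attribute makes gcc and clang
 * warn when the call's result is discarded: the warning the comment above
 * describes being trodden on. */
__attribute__((warn_unused_result))
static int buf_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

static int count_words(const char *s) {
    int words = 0, in_word = 0;
    for (; *s; s++) {
        if (*s == ' ') in_word = 0;
        else if (!in_word) { in_word = 1; words++; }
    }
    return words;
}

/* Defective version, the shape the report counts. Returns the word count of
 * the upper-cased input, or -1 on failure. Two defects are marked. */
int words_leaky(const char *src, size_t cap) {
    char *scratch = buf_acquire(cap);
    if (!scratch) return -1;
    int rc = buf_copy(scratch, cap, src);   /* (1) rc assigned, never examined: the
                                               warning is silenced and an over-long
                                               input silently becomes "" */
    (void)rc;
    char *upper = buf_acquire(cap);
    if (!upper) return -1;                   /* (2) resource leak: scratch not released */
    for (size_t i = 0; scratch[i]; i++)
        upper[i] = (char)toupper((unsigned char)scratch[i]);
    int words = count_words(upper);
    buf_release(upper);
    buf_release(scratch);
    return words;
}

/* Fixed version: one exit path that releases whatever was acquired, and the
 * copy result is checked. This goto-cleanup idiom is what C code, the kernel
 * included, uses where C++ would rely on a destructor. */
int words_fixed(const char *src, size_t cap) {
    int words = -1;
    char *scratch = NULL, *upper = NULL;

    scratch = buf_acquire(cap);
    if (!scratch) goto out;
    if (buf_copy(scratch, cap, src) != 0) goto out;   /* truncation is an error */
    upper = buf_acquire(cap);
    if (!upper) goto out;
    for (size_t i = 0; scratch[i]; i++)
        upper[i] = (char)toupper((unsigned char)scratch[i]);
    words = count_words(upper);
out:
    buf_release(upper);
    buf_release(scratch);
    return words;
}

int main(void) {
    printf("fixed, cap 8:  %d\n", words_fixed("hello brave new world", 8));   /* -1 */
    printf("leaky, cap 8:  %d\n", words_leaky("hello brave new world", 8));   /* 0, silently wrong */
    fail_nth_acquire(2);
    printf("leaky, 2nd acquire fails: %d, live buffers %d\n",
           words_leaky("a b", 16), live_buffers());                          /* -1, 1 leaked */
    return 0;
}
```

Both versions compile clean under `gcc -Wall`, which is the point: assigning the result to `rc` satisfies `warn_unused_result`, so the ignored failure and the leak on the second error path are only found by reading the code or by an analyser that tracks the buffer's lifetime. Note that on gcc a bare `(void)` cast does not silence `warn_unused_result`; assigning to a throwaway variable does, which is why that is the pattern that ends up in real code.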

But, Joe M ...

Most Linux video (and other hardware) drivers are in fact identical to both the Windows and Mac equivalents. Those that originate from nvidia (urgh) certainly do. I've seen them. The only difference is that they are in a different binary representation - reflecting the platform they are compiled for.

Indeed, most Linux distros even allow Windows drivers for all kinds of hardware to be used quite successfully using a wrapper function where a native Linux driver is not available.

If the drivers are so poor in quality, then the Windows and Mac ones are just as bad.

Me, I don't know any five year-olds who write code professionally. I do, however, comment all my code extensively (as do most other developers I have had to work with). If you think other people's work is such "a huge intellectual garbage dump" please feel free to forward your own work for consideration. I'm sure we'd all have such a lot to learn from you about writing hardware drivers.

Remember That Linus Guy?

You know the one that invented Linux and just this week said it was becoming fat and bloated?

There's a catch to this story that I'm sure some people have caught, it's that security, quality, and user experience = bloat.

You can't have all three things. Microsoft learned this years ago and just accepts the bloat - that's where OSS is going to have to go as well - there aren't really any other options. Just suck it up and accept MS now, or accept MS under another name in the near future.

@sigxcpu

A view from the inside.... sort-of

>>I wonder if they had a control group of projects which they ran Coverity on and which they didn't report any of the flaws that they found?

They scan projects that people suggest to them. From what's visible they _might_ use the projects which don't officially sign up developers to get reports as a baseline of the general environment. It would be biased though, since they are likely to be the small ones.

>> Do you know ANY OS/commercial project that has 39 million LOC?

From the weird results I've had to wade through to find the bugs sometimes it seems to me that they scan the latest release of all available versions of the project. So you have to divide that 39M again by the number of active supported releases.

... or maybe the billion is the aggregate number of scans run (at one per day or so).

The largest project on their list is KDE with over 4 Mega lines. You can see the project list at http://scan.coverity.com/rungAll.html

>> You only get the full benefit if you mark up the OS headers, too, which isn't going to happen for the vast majority of people

It's annoying but I suppose useful: Coverity reports any OS flaws that are in code used by the FOSS project and counts them against the project itself. Though I suppose it increases the pressure from app devs on the OS devs to get the OS fixed too, and gets app devs to migrate to safer libraries.

FAIL!

The title of this story is "Open source code quality improving" and suddenly a handful of MS shills comment trying to discredit open source. They use words like bloatware, shite, garbage etc., all in a desperate attempt to push a negative image of open source.

Open source and open standards are the future (even major software companies are beginning to realise it). Closed source and closed standards will only lead to the monopolization of data management and distribution and that is NOT acceptable for all kinds of reasons.

So I suggest you crawl back under your shitty, slimy rocks you horrible little FUD pushers.

@mrweekender

Hear hear! I've read a lot of FOSS code and I have nothing but respect for the people who worked on it. If you find a problem, stop gurning and fix it, and thank the people that laid the foundations even if they left off a bit of polish.

As for these 'open source bloatware' allegations - well, I haven't seen it. Most of my machines are sub 1GHz Pentium 3 or below and clipping along just fine. A good few are not even Windows XP capable, let alone Vista / 7, but on Linux they're years from retirement and still doing useful work and running up to date code.